# DFIR-02 : Journal Forensics

## NTFS Journaling (Transaction Logging)

Windows NTFS is a journaling file system: changes to file-system metadata are recorded as transactions in the **$LogFile** before they are committed, so that after a crash or an unexpected shutdown NTFS can redo or undo the incomplete transactions and bring the volume back to a consistent state. Specifically, NTFS logs a file transaction when:

* **Creating a file**
* **Deleting a file**
* **Extending a file**
* **Truncating a file**
* **Setting file information**
* **Renaming a file**
* **Changing the security applied to a file**

Each record of the previously analyzed **$MFT** carries, at bytes **08** to **15** (0x08 to 0x0F) of its header, the **$LogFile** Sequence Number (LSN) of the last transaction that modified that record. This field is how an MFT entry correlates with the $LogFile and with the other metadata attributes in the NTFS file system.

![$MFT $LogFile Transaction Entry](/files/-MOmFHk2PpABNQj99wtJ)

From a forensic perspective these records are valuable when building a timeline of transactions: the LSN ties an MFT entry to the $LogFile, and the entry's record number and sequence number tie it to the $UsnJrnl records that name it.
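
As an added example (not code from the original page or from any of the tools it lists), the following Python parses the 48-byte header of one $MFT FILE record, undoes the update-sequence fixups NTFS applies so that torn writes can be detected, and returns the LSN from bytes 8 to 15 together with the fields needed to correlate the entry with $UsnJrnl and $LogFile records. The function names and the 1024-byte sample record are this example's own; the field offsets are those of the documented NTFS 3.1 FILE record header.

```python
import struct

SECTOR = 512  # fixups protect each 512-byte sector of the 1024-byte record

# FILE record header (NTFS 3.1), little-endian: signature, update sequence array
# offset and word count, $LogFile Sequence Number (LSN, bytes 8-15), MFT sequence
# number, hard-link count, first attribute offset, flags, used and allocated size,
# base record reference, next attribute ID, padding, MFT record number.
_HDR = struct.Struct("<4sHHQHHHHIIQHHI")  # 48 bytes


def apply_fixups(rec):
    """Verify and undo the update-sequence fixups of one FILE record.

    NTFS stamps the last two bytes of every sector with the update sequence
    number (a fixup stamp, not the $UsnJrnl USN) and keeps the original bytes in
    the update sequence array. A sector without the stamp means the record was
    only partially written and must not be trusted.
    """
    sig, usa_off, usa_count = struct.unpack_from("<4sHH", rec, 0)
    if sig != b"FILE":
        raise ValueError(f"not a FILE record, signature {sig!r}")
    if (usa_count - 1) * SECTOR > len(rec) or usa_off + 2 * usa_count > len(rec):
        raise ValueError("update sequence array does not fit the record")
    stamp = rec[usa_off:usa_off + 2]
    fixed = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != stamp:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        fixed[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]  # restore saved bytes
    return bytes(fixed)


def parse_mft_record(rec):
    """Return the header fields of one $MFT record, LSN included."""
    rec = apply_fixups(rec)
    (_, _, _, lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, _, _, rec_num) = _HDR.unpack_from(rec, 0)
    return {
        "lsn": lsn,                # last $LogFile transaction that touched this entry
        "sequence": seq,           # incremented each time the entry is reused
        "hard_links": links,
        "first_attribute_offset": attr_off,
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
        "used_size": used,
        "allocated_size": alloc,
        "base_record": base_ref,   # non-zero only for extension records
        "record_number": rec_num,
    }


def is_consistent(rec):
    """True when every sector of the record carries the expected fixup stamp."""
    try:
        apply_fixups(rec)
        return True
    except ValueError:
        return False


def build_sample_record(lsn=0x1234567, seq=3, rec_num=12345, flags=0x01):
    """Construct a 1024-byte FILE record with valid fixups (test data, not from a real volume)."""
    rec = bytearray(1024)
    # update sequence array at 0x30 (stamp + one saved word per sector); attributes start at 0x38
    _HDR.pack_into(rec, 0, b"FILE", 0x30, 3, lsn, seq, 1, 0x38, flags, 0x3C, 1024, 0, 4, 0, rec_num)
    rec[0x38:0x3C] = b"\xFF\xFF\xFF\xFF"     # end-of-attributes marker
    rec[510:512] = b"\xAA\xBB"                # original bytes at the end of sector 0
    rec[1022:1024] = b"\xCC\xDD"              # original bytes at the end of sector 1
    struct.pack_into("<H", rec, 0x30, 0x0007)  # fixup stamp
    rec[0x32:0x34] = rec[510:512]             # saved words
    rec[0x34:0x36] = rec[1022:1024]
    rec[510:512] = rec[1022:1024] = rec[0x30:0x32]  # stamp both sectors as NTFS does
    return bytes(rec)


if __name__ == "__main__":
    info = parse_mft_record(build_sample_record())
    print(f"MFT entry {info['record_number']} seq {info['sequence']} LSN 0x{info['lsn']:X}")
```

Running the fixup check before reading any field matters on carved or partially overwritten $MFT records: a record that fails it may still carry a plausible LSN and file name, but the bytes were never committed as a unit.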

## NTFS change tracking journals:

### $UsnJrnl:

* Tracks changes to files and directories on the volume via the USN (Update Sequence Number) journal; each record holds a reason code, a timestamp, the file name and the MFT references of the file and of its parent directory.
* Available in the root directory under the $Extend folder (\$Extend\$UsnJrnl).
* Contains two ADS (alternate data streams):
  * **$Max**: where the journal's metadata is stored (maximum size, allocation delta, lowest valid USN and journal ID).
  * **$J**: where the actual change records are stored. It is a sparse stream, so older ranges that have been deallocated read back as zeros.
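
Below is an added example (not code from the page or from UsnJrnl2Csv, ANJP or KAPE) that walks raw $J contents and turns each USN_RECORD_V2 into a timeline row: it steps over the zero-filled sparse ranges, decodes the reason bitmask, converts the FILETIME to UTC and splits the 64-bit file reference into the MFT entry number and sequence number so the row can be matched to an $MFT record. It goes slightly beyond the page in that it also skips V3/V4 records by length. The record layout is Microsoft's documented USN_RECORD_V2; the helper names and the four-event sample journal are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits carried in the Reason field of a USN_RECORD_V2 ($J record).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE", 0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed header, little-endian: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_V2 = struct.Struct("<IHHQQQQIIIIHH")  # 60 bytes; the UTF-16LE file name follows

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def split_file_reference(ref):
    """MFT entry number (low 48 bits) and sequence number (high 16 bits); the
    sequence number tells a reused MFT entry apart from its previous occupant."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reasons(reason):
    names = [name for bit, name in USN_REASONS.items() if reason & bit]
    unknown = reason & ~sum(USN_REASONS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def parse_usnjrnl(buf):
    """Walk a $UsnJrnl:$J buffer and return one dict per USN_RECORD_V2, in journal order."""
    records, off = [], 0
    while off + 4 <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            off += 8  # zero-filled sparse range: records are 8-byte aligned, so step ahead
            continue
        if length < _V2.size or off + length > len(buf):
            raise ValueError(f"implausible record length {length} at offset {off}")
        (_, major, _, fref, pref, usn, ts, reason, source, sec_id, attrs,
         name_len, name_off) = _V2.unpack_from(buf, off)
        if major == 2:  # V3 (128-bit references) and V4 (range tracking) are skipped by length
            name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
            entry, seq = split_file_reference(fref)
            parent, parent_seq = split_file_reference(pref)
            records.append({
                "usn": usn, "timestamp": filetime_to_datetime(ts), "name": name,
                "mft_entry": entry, "mft_seq": seq, "parent_entry": parent,
                "parent_seq": parent_seq, "reasons": decode_reasons(reason),
                "source_info": source, "security_id": sec_id, "attributes": attrs,
            })
        off += length
    return records


def build_record(fref, pref, usn, ts, reason, name, attrs=0x20):
    """Construct one USN_RECORD_V2 (test data for the sample journal below)."""
    name_bytes = name.encode("utf-16-le")
    length = (_V2.size + len(name_bytes) + 7) & ~7  # records are padded to 8 bytes
    hdr = _V2.pack(length, 2, 0, fref, pref, usn, ts, reason, 0, 0, attrs, len(name_bytes), _V2.size)
    return (hdr + name_bytes).ljust(length, b"\x00")


def sample_journal():
    """Constructed $J contents: one file created, renamed and deleted in the root directory."""
    base = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fref = (3 << 48) | 12345          # MFT entry 12345, sequence 3
    pref = (5 << 48) | 5              # MFT entry 5 is the root directory
    events = [(0x80000100, "setup.tmp"),    # FILE_CREATE | CLOSE
              (0x80001000, "setup.tmp"),    # RENAME_OLD_NAME | CLOSE
              (0x80002000, "update.dll"),   # RENAME_NEW_NAME | CLOSE
              (0x80000200, "update.dll")]   # FILE_DELETE | CLOSE
    buf = b"\x00" * 16                # leading zeros, as a deallocated sparse range reads
    for i, (reason, name) in enumerate(events):
        ts = datetime_to_filetime(base + timedelta(seconds=i))
        buf += build_record(fref, pref, len(buf), ts, reason, name)  # the USN is the record's offset in $J
    return buf


def timeline(records):
    """One text row per record in USN order, which is the journal's own order of events."""
    return [f"{r['timestamp'].isoformat()} usn={r['usn']} entry={r['mft_entry']}-{r['mft_seq']} "
            f"{r['name']} {'|'.join(r['reasons'])}" for r in sorted(records, key=lambda r: r["usn"])]


if __name__ == "__main__":
    for row in timeline(parse_usnjrnl(sample_journal())):
        print(row)
```

Two details matter when this is run against a real $J extracted from an image: the USN is the record's byte offset in the stream, so a record whose USN does not equal its position was moved or carved, and the MFT sequence number must match the $MFT record before a name from the journal is attributed to the entry, since the entry number alone is reused after deletion.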

### $LogFile:

* Tracks low-level transactions against MFT metadata, including the before and after images NTFS needs to redo or undo them after a crash.
* Available in the root directory as $LogFile.

## Tools

In order to parse these journals, here are some great free tools:

* [UsnJrnl2Csv](https://github.com/jschicht/UsnJrnl2Csv)
* [Triforce ANJP](https://www.gettriforce.com/product/anjp-free/)
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape)

## Tutorial

Here is a great video by [@13cubed](https://twitter.com/13CubedDFIR) on how to parse and use these journals:

{% embed url="<https://www.youtube.com/watch?v=1mwiShxREm8>" %}
